fedora_base_design_working_group
LOGS 
15:00:12 <pknirsch> #startmeeting Fedora Base Design Working Group (2014-08-22)
15:00:12 <zodbot> Meeting started Fri Aug 22 15:00:12 2014 UTC.  The chair is pknirsch. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:12 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:00:17 <haraldh> <-
15:00:21 <pknirsch> #meetingname  Fedora Base Design Working Group
15:00:21 <zodbot> The meeting name has been set to 'fedora_base_design_working_group'
15:00:27 <pknirsch> heya haraldh :)
15:00:32 <haraldh> hey
15:00:47 <vpavlin> hey!
15:00:51 <haraldh> hah! sent two kernel patches today :)
15:00:53 <pknirsch> #chair haraldh vpavlin msekleta
15:00:53 <zodbot> Current chairs: haraldh msekleta pknirsch vpavlin
15:01:00 <pknirsch> #chair dgilmore masta
15:01:00 <zodbot> Current chairs: dgilmore haraldh masta msekleta pknirsch vpavlin
15:01:04 <msekleta> hey!
15:01:08 <pknirsch> heya everyone :)
15:01:25 * vpavlin just needs to lock the bike;)
15:01:33 <pknirsch> heh :)
15:01:50 <msekleta> haraldh, which subsystem?
15:02:01 <haraldh> efi
15:02:05 <pknirsch> nice haraldh !
15:02:08 <haraldh> and early microcode
15:02:14 <masta> hello
15:02:14 <pjones> that's a hell of a thing to say
15:02:15 * jreznik_q10 is here
15:02:23 <pknirsch> #chair jreznik_q10
15:02:23 <zodbot> Current chairs: dgilmore haraldh jreznik_q10 masta msekleta pknirsch vpavlin
15:02:49 <haraldh> pjones, well yeah... 5h of debugging, why the initramfs is not uncompressing
15:02:51 <pknirsch> ok, lets get started then. vpavlin asked me to pull the later 2 topics earlier as he was traveling
15:03:00 <pjones> ugh
15:03:03 <pknirsch> :/
15:03:13 <pknirsch> #topic Subpackage config file discussion
15:03:29 * masta notes pjones appears when one mentions efi
15:03:37 * pjones thought everybody knew that :P
15:03:41 <haraldh> :)
15:03:44 <pknirsch> alright, so first up the subpackage discussion for config file
15:04:15 <pknirsch> vpavlin i think wanted to send out an email about that. we discussed that in the hallway at Flock 1 1/2 weeks ago
15:04:32 <haraldh> have you seen what systemd now provides? a way to populate /etc and users with files from /usr
15:04:54 <pknirsch> ah
15:04:59 <vpavlin> yeah, sorry I wasn't able to do that yet..damn you Docker!
15:05:04 <pknirsch> heh :)
15:05:15 <haraldh> so, yeah
15:05:16 * pknirsch is running RHEL-7 docker images on RHEL-6 these days ;)
15:05:29 <haraldh> subpackage the /etc files and additionally add the systemd things to the main package
15:05:39 <dgilmore> hey all
15:05:45 <haraldh> you have my blessing for that
15:05:58 <pknirsch> haraldh, would that need additional changes to specfiles other than the subpackages?
15:06:03 * vpavlin nods
15:06:15 <haraldh> yes
15:06:19 <pknirsch> hm
15:06:27 <haraldh> but if you touch them, better only touch them once
15:06:32 <haraldh> in one go
15:06:33 <pknirsch> true dat
15:07:07 <poettering> haraldh: wassup?
15:07:12 <pknirsch> have you and vpavlin talked about the details? so when we send out that email to f-d people will understand :)
15:07:12 <haraldh> pknirsch, I invited poettering :)
15:07:18 <pknirsch> ah, cool, thanks poettering !
15:07:23 <pknirsch> and thanks haraldh
15:07:26 <vpavlin> we talked about this with haraldh on flock that we should do it as one thing and I agree
15:07:47 <haraldh> poettering, the new /etc and user populating mechanism of systemd
15:07:57 <haraldh> poettering, want to give a short summary?
15:08:05 <vpavlin> haraldh let's talk about it next week and I'll write it up and send
15:08:08 <haraldh> poettering, maybe also about the rpm macros you added?
15:08:23 <haraldh> doesn't hurt, if they are mentioned here
15:08:58 <dgilmore> dont forget rpm macros and changes here will need fpc arrpoval and packaging guideline changes
15:09:01 <haraldh> poettering, we want to subpackage the /etc files in "*-config" subpackages
15:09:06 <dgilmore> approval
15:09:07 * pknirsch nods to dgilmore
15:09:18 <poettering> hmm? "the /etc files"?
15:09:37 <haraldh> yeah, config files of packages
15:09:46 <poettering> dgilmore: tehre's already an fpc ticket for the rpm macros for sysuers, if those are what you are talking about?
15:10:02 <haraldh> poettering, if we touch those packages, we might also want to add your macros in one go
15:10:05 <poettering> haraldh: you want to split *all* rpms in two?
15:10:16 <poettering> haraldh: which macros precisely are you talking of?
15:10:21 <poettering> haraldh: the sysusers macros?
15:10:24 <haraldh> poettering, yes
15:10:27 <dgilmore> poettering: thats part of it. if we want to put config files in separate packages like haraldh is talking about that will need changes as well
15:10:31 <poettering> i am missing some context here apparently
15:10:39 <haraldh> poettering, and the factory mechanism
15:10:39 <pknirsch> ENOCONTEXT
15:10:45 <pknirsch> :)
15:10:48 <dgilmore> poettering: I thing all of us except for haraldh are
15:11:00 <haraldh> hmmm
15:11:03 <pknirsch> Maybe haraldh should do the summary then ;)
15:11:12 <poettering> i am not actually arguing for splitting up all RPMs in two, i think they should continue to ship the config
15:11:14 <haraldh> vpavlin, you go first :)
15:11:16 <vpavlin> poettering we would like to move config files stored in /etc to subpackages
15:11:29 <poettering> but we should also ship them in /usr/share/factory...
15:11:44 <haraldh> in the main package, if needed/wanted
15:11:48 <vpavlin> so that users can simply installed their *-config package to replace co figuration
15:12:02 <pknirsch> or package their own
15:12:08 <poettering> hmm, so suddenly i am the conservative here? ;-)
15:12:13 <pknirsch> hahahah
15:12:14 <haraldh> or remove them completly
15:12:27 <haraldh> and let s.th. else than rpm handle the config
15:12:28 <vpavlin> as long as the configs are in /usr they can stay in main pkg
15:12:42 <haraldh> vpavlin, right.. /usr/share/factory..
15:12:56 <haraldh> or as with systemd, are overridable with /etc
15:12:57 <poettering> does this really make sense? i mean, if people want to install without config, then maybe that should become an rpm switch, after all rpm knows already exactly what is config and what isn't due to %config
15:13:12 <pknirsch> good point
15:13:19 <pknirsch> like with %docs you mean?
15:13:20 <poettering> anyway, let me maybe summarize what i had in mind
15:13:22 <pknirsch> aka --nodocs?
15:13:34 <poettering> so, i want stateless systems
15:13:39 <poettering> so that we can boot up without /etc around
15:13:46 <poettering> and populate automatically what is necessary
15:13:51 <poettering> but only what is strictly necessary
15:13:54 <vpavlin> they want to install configs, but they have to override them by one shot scripts which is error prone
15:14:03 <poettering> we haven't figured out in all details how this all will map to fedora
15:14:11 <poettering> but what we do now is this:
15:14:28 <poettering> we want all RPMs to ship the pristine vendor configuration in /usr/share/factor/etc/*
15:14:40 <poettering> that we can easily diff vendor defaults with user changes
15:14:51 <poettering> simply by diffing /etc/ against /usr/share/factory/etc/
15:14:58 <dgilmore> poettering: that has some value
15:15:13 <poettering> but the main goal we have here is the "golden container" setup
15:15:18 <poettering> we want /usr to be fully self sufficient
15:15:19 * vpavlin agrees that having config in /usr would be awesome
15:15:21 <poettering> do replicate systems
15:15:34 <poettering> so, basically, if you want to "instantiate" an OS
15:15:57 <poettering> you just mount /usr as pristine vendor directory to some directory name /usr
15:16:01 <poettering> and then you can boot that up
15:16:05 <poettering> and /var and 7etc are added in
15:16:12 <poettering> now think about this, if you do this for 100x containers
15:16:19 <poettering> from the same /usr tree
15:16:34 <poettering> so, with systemd upstream this actually works pretty fine now
15:16:39 <poettering> at least with the basic sets of tools
15:16:49 <poettering> however, there are a couple of packages that currently are allergic to missing /etc
15:16:54 <poettering> atcually quite a few
15:17:05 <poettering> from the core OS that's most importantly dbus1 and pam
15:17:10 <jreznik_q10> how many? approximately
15:17:11 <poettering> dbus1 chokes on missing configuration
15:17:31 <poettering> and dbus1 is something we probably could move easily, the devs are friendly to our ideas
15:17:43 <poettering> but so far we didn't prep patches for that
15:17:58 <poettering> also becuase we mostly use kdbus now ;-)
15:18:03 <poettering> PAM is the bigger problem
15:18:18 <poettering> for PAM we prepped patches
15:18:26 <poettering> they are hanging since months in the PAM trac
15:18:40 <poettering> but i figure the pam maintainers are not so friendly to our ideas
15:18:49 <poettering> anyway, those are the two biggies from the basic OS
15:18:56 <haraldh> from my point of view, we can roll out the thing in two steps: first move config to subpackages and add the factory to the main package
15:19:06 <vpavlin> so you suggest to rather invest in moving things from /etc to /usr/share/factory and toss the subpackage thing, right
15:19:07 <poettering> we are fully aware that we cannot patch all software we ship to be compatible with empty /etc
15:19:10 <haraldh> then in the far future we just drop the subpackages
15:19:14 <poettering> wait i am not done yet
15:19:15 <poettering> please
15:19:16 <poettering> wait
15:19:30 <poettering> so, acknowledging the fact that a lot of software doesn't like /etc empty
15:19:39 <poettering> we beefed up tmpfiles a bit
15:19:57 <poettering> so that it is able to copy whole trees from /usr/share/factory to /etc
15:20:07 <poettering> you basically just add a line "C /etc/pam.d"
15:20:25 <poettering> and that means that /usr/share/factory/etc/pam.d" is copied → "/etc/pam.d" if it doesn't exist there yet
15:20:49 <poettering> it's our strategy to work-around upstream maitnainers who think empty /etc is stupid
15:20:56 <poettering> of coruse, we really see that as last resort only
15:21:06 <poettering> we really want softwrae to work without /etc by default
15:21:08 <walters> that also means that once you do an install, you'll never thereafter get any changes to the pam config dir that are made in the upstream defaults, right?
15:21:24 <masta> ok, so it sounds like rpm be made to default config install to the factory location path, and some sub-routine near the end copy them into /etc (possibly as rpmnew)
15:21:25 <poettering> but if we cannot have that, then we can just add a tmpfiles line to work around that, and copy if missing
15:21:45 <poettering> so, regarding updates
15:21:50 <poettering> it's actually a difficult problem
15:22:01 <haraldh> 3-way merge :)
15:22:02 <poettering> the "golden container" image thing i mentioned earlier is only half useful
15:22:06 <poettering> if we cannot actually update them
15:22:19 <poettering> so, we needed a strategy to facility "offline" updates
15:22:28 <poettering> where we can basically update a /usr tree with RPM somewhere
15:22:39 <poettering> and then, this gets replicated into the 100x instances of it
15:22:58 <poettering> for example, stuff like /etc/ld.cache and things need to be rebuild
15:23:03 <poettering> if /usr changes
15:23:11 <poettering> so, we added a very simple scheme for that
15:23:21 <poettering> howe certain tools can be run on a reboot
15:23:31 <poettering> if we figure out that /usr has changed since the last time we booted up
15:23:51 <poettering> the idea is then that we can update /usr at any time, in a snapshot kind of way
15:24:02 <poettering> then we simply restart the container instances with the new /usr version
15:24:07 * pknirsch nods
15:24:20 <poettering> and we run a handfull of additional services that will replicate changes to /etc and /var that we really have to do
15:24:38 <poettering> of course, we updated systemd itself to make use of that
15:24:49 <poettering> for example, we now ship an ldconfig service that rebuilds the cache
15:24:57 <poettering> and sysusers and stuff is run like this
15:25:00 <walters> but for the scenario of config files, are you thinking that say gdm would ship a systemd service that would compare its new config file versus the old and copy over manually if the config file hasn't been modified?
15:25:21 <poettering> so that if a package wants a new user to be added, it just adds the sysuser file, and on next reboot of the instances, we get the new user added to /etc in early boot
15:25:25 <pknirsch> shouldn't that be done by a general framework, walters ?
15:25:30 <poettering> this all is implemented using normal services btw
15:25:43 <walters> pknirsch, it's how ostree works
15:25:47 <poettering> but there's a new ConditionUpdateNeeded= that conditionalizes these services
15:26:13 <pknirsch> i don't think packagers would like the idea to modify all their packages to check for modified config files, something rpm has "taken care of" for them in the past
15:26:20 <poettering> walters: well, i really hope we never have to patch config files
15:26:23 <pknirsch> (arguably badly, but at least it did in some form)
15:26:44 <poettering> walters: but yeah, if we really really have to patch some, then there would have to be a service that is conditionalized on upgrades and does that
15:26:47 <walters> poettering, from this time forward, /etc/pam.d/cockpit should never change?
15:27:03 <poettering> walters: but in general, there shouldn't be a gdm config file anyway in /etc, right?
15:27:19 <poettering> walters: so if an admin adds one, then that coutns and we shouldn't fuck with it on upgrades
15:27:41 <poettering> walters: well, /etc/pam.d/cockpit should be /usr/lib/pam.d/cockpit or so
15:27:41 <walters> but you were suggesting the system copy /etc/pam.d, that's not the admin's doing
15:27:50 <poettering> and if people want to edit it, they copy it
15:27:54 <poettering> and edit it, and we won't fuck with it
15:28:06 <poettering> but the entire idea here is that /etc is minimal
15:28:12 <pknirsch> poettering: how could we then still notify the admin that the default config file changed though? so that he has a chance to actually check if he needs to do something about it? (see rpmsave resp rpmnew files previously)
15:28:26 <poettering> and vendor config is either built into programs, or lies around in /usr/share and /usr/lib
15:28:43 <poettering> and that /etc is really primarilly admin territory
15:28:49 <poettering> and we try to stay away from it
15:28:55 <poettering> and if the admin drops-in a file there
15:28:58 <poettering> that's the file that counts
15:29:04 <poettering> and we will not patch it
15:29:08 <poettering> or fuck it up otherwise
15:29:16 <poettering> pknirsch: well, that's what we have the factory stuff for
15:29:26 <poettering> pknirsch: we want a powerful diff tool
15:29:30 <pknirsch> ahh
15:29:31 <pknirsch> right
15:29:39 <poettering> that can inform users about differences between vendor config in factory
15:29:43 <poettering> and what he actually is running
15:29:44 * pknirsch nods
15:29:51 <poettering> systemd-delta in a way is already that
15:29:54 <pknirsch> that would be awesome actually
15:29:55 <walters> (as ostree can do today)
15:30:01 <poettering> but doesn't actually understand /usr/share/factory
15:30:03 <pknirsch> much better than the rpmsave crap we have
15:30:26 <poettering> but i figure we'll update systemd-delta accordingly to also diff all of /etc to /usr/share/factory
15:30:35 * pknirsch nods
15:30:40 <poettering> so, anyway, it's a lot of pieces of a puzzle to get right
15:30:43 <pknirsch> yea
15:30:51 <poettering> but i think in the end we have very clear definitions of what is in /etc
15:30:54 <poettering> and what is in /usr
15:31:06 <pknirsch> mhm
15:31:09 <poettering> we have nice tools for admins to figure out what chanegs they made
15:31:17 <poettering> we can replicate systems nicely
15:31:23 <vpavlin> so, what would you suggest tobdo from Fedora pov now, poettering?
15:31:25 <pknirsch> and services or apps that use subdirs for configuration would be even better of.
15:31:28 <poettering> we can "offline" update instances nicely, and so on
15:31:41 * pknirsch thinks about unmodified httpd.conf and http/conf subdirs
15:31:54 <poettering> first thing i would want from fedora
15:32:09 <poettering> is that RPM implicitly copies all files marked %config into /usr/share/etc
15:32:18 <poettering> that would already bring us a big step ahead
15:32:34 <haraldh> I asked ffesti to do that..
15:32:34 <poettering> also, we should get started making the most basic packages compatible with /etc being totally empty
15:32:37 <poettering> notable PAM
15:32:44 * vpavlin nods
15:32:47 <pknirsch> mhm
15:32:48 <poettering> oh, and one clarification
15:33:01 <haraldh> but I don't think we will get it in the next year... except pknirsch makes some pressure :)
15:33:02 <poettering> things like apache of course will not work without /etc containing their configs
15:33:21 <poettering> but i think that that is actually totally fine, since apache is one of those things that are not useful without admin config anyway
15:33:33 <poettering> so, we really should focus on packages that are supposed to "just work"
15:33:38 <pknirsch> right
15:33:39 <poettering> and that nobody installs explicitly
15:33:52 <walters> yeah, agreed with that
15:34:00 <poettering> there are a couple of non-obvious things that need to be made compatible with this scheme too
15:34:04 <poettering> like for example /etc/services
15:34:06 <pknirsch> how do you handle /etc/passwd and /etc/shadow ?
15:34:09 <walters> (note intersection with the issue of wheteher or not services start by default)
15:34:10 <dwalsh> Will require changes to SELinux. but it is something we have wanted to do for a while.
15:34:24 <poettering> /etc/services should move to /usr/share/services or so
15:34:41 <poettering> and glibc should first use /etc/services, and on ENOENT fall back to /usr/share/services
15:34:49 <poettering> so that admins can make changes
15:34:55 <poettering> even though probably nobody does anymore
15:35:07 <poettering> i mean, that's the good thing about /etc/services, nobody uses that anymore...
15:35:11 <haraldh> yeah, we should git grep through glibc and add fallbacks from /usr
15:35:13 <poettering> hence we can ignore it for a while
15:35:20 <poettering> but for full funcitonality we do need to cover that
15:35:26 <poettering> this means changes to glibc
15:35:26 <dwalsh> /etc/resolv.conf?
15:35:48 <dgilmore> poettering: it quite possibly means changes to a lot of packages
15:36:18 <haraldh> dgilmore, one way or the other... but better progress :)
15:36:58 <poettering> dgilmore: yupp!
15:37:00 <masta> yeah, I expect this to have a good bit of churn
15:37:09 <poettering> dgilmore: but then again, tmpfiles is a way out for the hard cases
15:37:20 <msekleta> however proposal for splitting config files to separate subpackages was in a way about something different, if I am not mistaken
15:37:29 <poettering> dgilmore: tmpfiles is basically our way how we can make this transition more slowly
15:37:44 <dgilmore> some configs are expected to never be edited
15:37:44 <vpavlin> msekleta you wouldn't need that if all goes well
15:37:44 <poettering> dwalsh: /etc/resolv.conf should be a symlink to some file in /run
15:37:52 <poettering> dwalsh: it's awful that NM touches /etc all the time
15:37:56 <dgilmore> perhaps we should have somewhere to put them
15:38:09 <poettering> dwalsh: /etc really should be considered read-only for services, unless they are configuration management daemons, which NM is not
15:38:28 <msekleta> vpavlin, so will not pursue this further and will focus on getting lennart's idea to work then?
15:38:45 <poettering> ah, here regarding RPM now
15:38:51 <dwalsh> poettering, I agree 100%
15:39:08 <poettering> i think actually, that most RPMs should continue to install their configuraation to /etc, since most admins expect that
15:39:11 <dgilmore> poettering: making /etc/resolv.conf breaks many many things and is going to have to be handled carefully
15:39:15 <walters> where should NM write state instead?  /var ?
15:39:31 <poettering> however, i think we should work on fixing these packages to not actually require them during runtime
15:39:50 <poettering> and the config files shoudl alaways end up in both /etc *and* in /usr/share/factory/etc
15:40:06 <poettering> and it might be nice to have an RPM mode, where it doesn't bother with dropping them in /etc
15:40:13 <poettering> and only puts them in /usr/share/factory/etc
15:40:21 <poettering> walters: /run
15:40:24 <dwalsh> Random tools/services writing random crap into /etc has been a bane to SELinux existance.
15:40:26 <poettering> walters: networkd already does that
15:40:37 <vpavlin> poettering do you thing it's possible to get it to F22? Of not, I'd still pursue subpackages..
15:40:38 <walters> poettering, er...i want to be able to have my wireless network choices be persistent
15:40:38 <poettering> walters: /run/systemd/resolved/resolve.conf
15:41:00 <dgilmore> walters: I agree there
15:41:15 <poettering> walters: ok, you are talking about those. they should probably be in /var for system-defined ones, and in $HOME for user-defined ones
15:41:21 <dgilmore> walters: and vpn connections
15:41:39 <walters> poettering, you do realize NM started out that way, and went through a *really* painful transititon to system connections
15:41:46 <poettering> walters: but honestly, the fact that NM currently stores wlan passwords unencrypted in /etc is really awful
15:42:14 <walters> well
15:42:14 <dgilmore> poettering: you do realise that NM is running in a legacy compat mode
15:42:22 <dgilmore> and was designed to do things differently
15:42:40 <walters> it turns out a lot of people want the ability to have their network connect before they've logged in
15:42:41 <poettering> walters: well, i am totally fine if NM stores wlans in /etc, if it wants to. what i am not fine about is that it keeps touching /etc/resolv.conf
15:42:53 <walters> yeah no one disagrees about resolv.conf
15:42:54 <poettering> walters: i mean, in a way if you connect to a *new* wlan, this is kinda configuration
15:42:59 <poettering> walters: hence writing to /etc might be fine
15:43:04 <walters> right
15:43:16 <poettering> walters: but when i reconnect to known networks, that's not configuration changes, that's just reconnecting
15:43:26 <poettering> and reconnecting should cause /etc to be modified
15:43:37 * vpavlin will have to go in 15mins :(
15:43:49 <poettering> anyway, that's kinda what i have in mind
15:43:58 <poettering> so, what i'd really like to see is:
15:44:09 <poettering> a) rpm populates /usr/share/factory by default
15:44:17 <poettering> b) rpm gets a new switch --noconfig or so
15:44:40 <poettering> c) we start fixing PAM, glibc to always look in /usr/lib if a file is missing in /etc
15:44:56 <poettering> d) we start working on adding tmpfiles snippets for the other packages
15:45:11 <poettering> but as mentioned, even without all this, things work surprisingly well already
15:45:19 <poettering> btw, i updated nspawn with some siwtches to test this all
15:45:43 <poettering> in the version in rawhide there is now a new switc --volatile
15:45:52 <poettering> it takes three values:
15:46:20 <poettering> --volatile=no is the default, an means you get /usr, /var, /etc from whatever you point it to
15:46:22 <vpavlin> haraldh - you said you are talking to rpm guys, right?
15:46:40 <poettering> --volatile=yes you get a tmpfs as /, and /usr mountd in from where you point it
15:46:45 <pknirsch> maybe it would help vpavlin if you talked with jzeleny, too
15:46:53 <dwalsh> Will /etc/machine-id be moving?
15:46:57 <vpavlin> sure thing
15:47:00 <pknirsch> coolio
15:47:01 <poettering> --volatile=state you get /usr and /etc from where you point it to, plus /var being tmpfs
15:47:20 <poettering> these three models are kinda what we want to focus on
15:47:31 <poettering> i also plan to add a kernel cmdline option to map this
15:47:31 <haraldh> vpavlin, I said, I was.... I am not constantly nagging..
15:47:39 <pknirsch> heh
15:47:39 <poettering> dwalsh: it already moved
15:47:45 <dwalsh> Where is it now?
15:47:48 <poettering> dwalsh: oops, sorry
15:47:51 <poettering> dwalsh: i am confused
15:47:52 <haraldh> vpavlin, nagging from different sides would definitely help :)
15:47:57 <poettering> /etc/machine-id actually stays where it is
15:48:06 <poettering> /etc/os-release howver moved to /usr/lib
15:48:13 <poettering> /etc/machine-id is inherently per-instance information
15:48:20 <poettering> it is the identity of a machine instance
15:48:23 <poettering> hence belongs in /etc
15:48:31 <vpavlin> haraldh ok:) I nag somebody all the time..no problem to add few more people;)
15:48:35 <walters> poettering, somewhat as an aside, i'd also like initramfs to be immutable, so it'd be quite nice if the machine id was a kernel commandline argument (or dracut knew how to pick it up from a secondary initramfs)
15:48:42 <poettering> we moved /etc/os-release however, since that realy just describes the OS as it is vendor-supplied in /usr
15:48:56 <dgilmore> walters: eww
15:49:03 <walters> (more generally, everything dracut computes locally and stashes in the initramfs were either a kernel cmdline, or a secondary initramfs)
15:49:10 <dgilmore> there is things in the initramfs I wish were not
15:49:11 <poettering> walters: if /etc is found empty, we will generate one add write it there
15:49:35 <poettering> walters: where "generate" means, either randomize it, or pull it out of qemu's bios supplied machine uuid, or nspawn's --uuuid= cmdline
15:50:06 <haraldh> dgilmore, like?
15:50:07 <dwalsh> How about a environment variable?
15:50:13 <poettering> walters: i mean, if we allow provisioning of the uuid via qemu's -uuid or nspawns --uuid= switch, then i figure we can also allow it on the kernel cmdline
15:50:19 <poettering> though i do wonder what your usecase is...
15:50:24 <dwalsh> Trying to figure a way to populate for docker images.
15:50:42 <poettering> dwalsh: i think docker should just implement the ContainerInterface stuff
15:50:51 <poettering> dwalsh: http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
15:50:57 <poettering> dwalsh: it should just set $container_uuid
15:51:02 <poettering> dwalsh: that's where we pick it up from
15:51:03 <dwalsh> poettering, Upstream is not very responsive :^(
15:51:13 <dgilmore> haraldh: all the mount info. ive had quite a few times changing disks and ive had to use a resuce environment to recover things, and by rescue booting media in rescue mode. as the rescue kernel initramfs have not worked
15:51:27 <dwalsh> Ok so we set container_uuid, systemd would populate.
15:51:39 <poettering> dwalsh: only when /etc/machine-id is missing!
15:51:47 <dwalsh> Right.
15:51:54 <dgilmore> dwalsh: our docker base images will not have systemd in them
15:51:55 <haraldh> dgilmore, install dracut-config-generic
15:51:55 <poettering> dwalsh: i.e. if you set container_uuid but there's already an /etc/machine-id from a previous one, we won't change it
15:52:17 <pknirsch> as that instance already has it's id
15:52:23 <dwalsh> Only last problem is the UUID of docker is much longer then /etc/machineid is allowed.
15:52:45 <haraldh> dgilmore, or use --no-hostonly-cmdline / hostonly_cmdline="no"
15:53:02 <poettering> dwalsh: hmm, then it's probably not a uuid
15:53:08 <poettering> dwalsh: uuids are always 128bit...
15:53:17 <poettering> dwalsh: but you can just truncate it
15:53:26 <poettering> dwalsh: but why would they ever use a longer one?
15:53:38 <dgilmore> poettering: because they can
15:53:57 <dwalsh> 00eece37864040d3f5ca77e51a779859908277f43bb98f8bb00685f77bae9b35
15:53:57 <poettering> i mean, do they really believe that they need mor docker containers than grains of sand on this world?
15:54:05 <poettering> they are stupid, if i may say so
15:54:09 <vpavlin> ok, I'll leave, I am not going to be here for next topic anyway..thanks for explanation poettering, I'll talk to jzeleny
15:54:28 <dwalsh> poettering, I'll pass that along.  :^)
15:54:29 <dgilmore> seeya vpavlin
15:54:34 <vpavlin> have a nic weekend all
15:54:37 <pknirsch> cya vpavlin !
15:54:52 <moben> have a nice weekend vpavlin!
15:55:34 <pknirsch> so  now that vpavlin is gone, we can all agree he's doing all the writeup of this, right? ;)
15:55:45 <masta> hehe
15:55:47 <poettering> anyway, so far our ideas
15:55:53 <poettering> or actually
15:55:57 <poettering> one more thing: sysuers
15:56:03 <poettering> we already had a discussion on fedora-devel
15:56:10 <poettering> which resulted in a couple of things
15:56:18 <poettering> which i all implemented in the most recent systemd
15:56:23 <poettering> now i just need to update the FPC bug
15:56:36 <poettering> there's one nasty thing there
15:56:36 <pknirsch> nice!
15:56:39 <poettering> which is this:
15:56:47 <poettering> sysusers is supposed to cover both usecases:
15:57:14 <poettering> "offline" updates as i decribed above, where a new file is dropped into /usr/lib/sysusers.d/, and then is worked on on next boot
15:57:30 <poettering> and "online" updaets as we always did them with RPM, i.e. create users from scriptlets
15:57:40 <poettering> now, for the latter case we actualy supply two RPM macros
15:57:45 <poettering> but there's the nastiness:
15:58:04 <poettering> we want to create these users based on definitions in the files we ship in /usr/lib/sysusers.d/
15:58:24 <poettering> but there might be files in the RPM that shall be owned by users that we want to create
15:58:33 <poettering> so there's a chicken and egg problem
15:58:35 <pknirsch> ugh
15:58:40 <poettering> we want to create the users based on files we just dropped in
15:58:54 <poettering> but before dropping in the files we want to create the users, so that the files can be owned by them
15:59:05 <poettering> so, this is awful
15:59:11 <poettering> we thought about this for quite a while now
15:59:16 <poettering> our proposed solution is this:
15:59:31 <poettering> we added a sysusers switch so that users can also be created based on the user defintions from stdin
15:59:46 <poettering> the idea is then that packages can choose between two macros:
15:59:57 <poettering> %sysusers_create()
16:00:18 <poettering> which should be added to %post, and which just adds in all users from the just-dropped-in sysuers files
16:00:28 <poettering> if you use that macro, you cannot make files owned by these users
16:00:38 <poettering> and then there's %sysusers_create_inline()
16:00:53 <poettering> where you can specify the precise "sysusers" line directly inside of the RPM macro invocation
16:01:00 <poettering> that's what people should use in %pre
16:01:09 <poettering> to create users before we drop in the first files
16:01:20 <poettering> thankfully, the number of packages that needs this is not thaaaat big
16:01:32 <poettering> most files owned by non-root in RPM are actually in /run and /var
16:01:53 <poettering> /run doesn't matter too much here i figure, since most files there should be %ghosted by now
16:02:20 <poettering> which leaves /var, where this is annoying, but we have to deal with it
16:02:24 <poettering> btw, speaking of /var
16:02:49 <poettering> while many packages are allergic to /etc being empty, packages in fedora are generally a lot more friendly regarding booting up with empty /var
16:03:00 <poettering> that pretty much just works with everything i tested
16:03:04 <poettering> it's kinda amazing
16:03:18 <poettering> anyway, i need to write up the new sysusers stuff and add it to the FPC ticket
16:03:18 <pknirsch> heheheh
16:03:24 <poettering> so that they can bless it or so
16:03:33 <poettering> unless anybody has a better diea
16:03:35 <poettering> idea
16:03:37 <pknirsch> thanks poettering for the very detailed explanation
16:03:51 <poettering> btw, i'll do a talk about all of this at linuxcon
16:03:58 <poettering> in düsseldorf in october
16:04:11 <pknirsch> and i think the split into 2 macros is necessary to split the chicken and egg problem
16:04:17 <pknirsch> cool
16:05:06 <walters> poettering, amazing, or I was starting that ~2 years ago and submitting patches...
16:06:44 <pknirsch> oki, any questions anyone after this? :)
16:07:04 * pknirsch thinks we've kinda run out of time today as quite a few need to leave already soonish :(
16:07:57 <pknirsch> ok, i think either no questions or everyone else fell asleep ;)
16:08:24 <walters> http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=e7add58aad1bb5eca28360c9c7a1a3956261c7df
16:08:26 <walters> for example
16:08:56 <pknirsch> mhm
16:09:14 <walters> https://bugzilla.redhat.com/show_bug.cgi?id=1097314 for a more recent one
16:09:48 <pknirsch> Ok, thanks again poettering for coming to our meeting today and going into so much detail. That'll make a more concrete writeup for vpavlin much easier and we can then see where we go from there
16:10:09 <pknirsch> Other topics will have to wait till next week i'm afraid, but thanks everyone for joining today!
16:11:56 <pknirsch> #endmeeting
Meetbot Logs © 2021-2022 Fedora Websites and Apps Team (Sources)